RADIUS accounting proxy

The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them according to a rule set, and forwards them to one or more FortiGate or FortiMail devices for use in RADIUS Single Sign-On (RSSO). This differs from the FortiAuthenticator consuming RADIUS accounting packets itself as a single sign-on source (see RADIUS accounting sources); here the FortiAuthenticator only relays and rewrites them.

The accounting proxy needs to know:

the rule sets to define or derive the RADIUS attributes that the FortiGate unit requires,

the source of the RADIUS accounting records (i.e. the RADIUS server),

and the destination(s) of the accounting records (i.e. the FortiGate units using this information for RSSO authentication).

To add a RADIUS accounting proxy rule set:

From the rule set list, select Create New. The Create New Rule Set window opens.

Enter the following information:

Name

Enter a name to use when selecting this rule set for an accounting proxy destination.

Description

Optionally, enter a brief description of the rule set's purpose.

Rules

Enter one or more rules.

Action

The action for each rule can be either Add or Modify.

Add: Add either a static value or a value derived from an LDAP server.

Modify: Rename an attribute.

Attribute

Select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.

Attribute 2

If Action is set to Modify, select the attribute to rename to. The attribute selected in the Attribute field is renamed to this one in the outgoing packet; its value is not changed.

Value type

If the action is set to Add, select a value type from the dropdown menu.

Static value: Adds the attribute selected in the Attribute field, with the literal value entered in the Value field.

Group names: Adds the attribute selected in the Attribute field, with the names of the groups that the user belongs to on the remote LDAP server. The user is identified by the value of the attribute selected as Username attribute.

Value

If the action is set to Add and Value Type is set to Static value, enter the static value.

Username attribute

If the action is set to Add, and Value Type is not set to Static value, specify an attribute that provides the user’s name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.

Remote LDAP

If the attribute addition requires an LDAP server, select one from the dropdown menu. See LDAP for information on remote LDAP servers.

Description

Optionally, enter a brief description of the rule.

Add another Rule

Select to add another rule to the rule set.

Select OK to create the new rule set.

Example rule set

The incoming accounting packets contain the following fields:

User-Name

NAS-IP-Address

Fortinet-Client-IP-Address

The outgoing accounting packets need to have these fields:

User-Name

NAS-IP-Address

Fortinet-Client-IP-Address

Session-Timeout: Value is always 3600

Fortinet-Group-Name: Value is obtained from user's group membership on remote LDAP

The rule set needs two rules, both with Action set to Add: one for Session-Timeout (Value type: Static value, Value: 3600) and one for Fortinet-Group-Name (Value type: Group names, Username attribute: User-Name, Remote LDAP: the LDAP server holding the group membership). The incoming attributes are passed through unchanged. The following image provides an example:
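The transformation the rule set describes, as an added example that is not FortiAuthenticator code. It models Add (Static value and Group names) and Modify rules over a parsed attribute list, applies the two-rule example above, and goes slightly beyond it by also showing a Modify rename and what happens when the LDAP lookup finds no groups. The attribute IDs follow RFC 2865 and the Fortinet RADIUS dictionary (vendor 12356); the rule-field names, the in-memory LDAP table, the user names and the one-instance-per-group encoding are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AttrId = Tuple[int, int]           # (vendor_id, attribute_id); vendor 0 = standard IETF attribute
Attrs = List[Tuple[AttrId, str]]   # ordered list; RADIUS allows an attribute to repeat

# Attribute IDs from RFC 2865 and the Fortinet RADIUS dictionary (vendor 12356).
USER_NAME = (0, 1)
NAS_IP_ADDRESS = (0, 4)
SESSION_TIMEOUT = (0, 27)
FORTINET_GROUP_NAME = (12356, 1)
FORTINET_CLIENT_IP_ADDRESS = (12356, 2)


@dataclass
class Rule:
    action: str                                  # "Add" or "Modify"
    attribute: AttrId                            # the Attribute field
    attribute2: Optional[AttrId] = None          # Modify: rename attribute to attribute2
    value_type: Optional[str] = None             # Add: "Static value" or "Group names"
    value: Optional[str] = None                  # Add + Static value
    username_attribute: Optional[AttrId] = None  # Add + Group names: attribute naming the user
    remote_ldap: Optional[str] = None            # Add + Group names: LDAP server to query


# Constructed stand-in for the remote LDAP servers: server name -> user -> group names.
LDAP_DIRECTORIES: Dict[str, Dict[str, List[str]]] = {
    "corp-ldap": {"alice": ["sales", "vpn-users"], "bob": []},
}


def apply_rule_set(attrs: Attrs, rules: List[Rule],
                   directories: Dict[str, Dict[str, List[str]]] = LDAP_DIRECTORIES) -> Attrs:
    """Apply the rules in order to a parsed accounting packet; return the outgoing attributes.
    Incomplete rules raise ValueError; a user with no LDAP groups simply gets no group attribute."""
    out = list(attrs)
    for rule in rules:
        if rule.action == "Modify":
            if rule.attribute2 is None:
                raise ValueError("Modify rule needs Attribute 2")
            # Rename every instance; the value is untouched.
            out = [(rule.attribute2 if a == rule.attribute else a, v) for a, v in out]
        elif rule.action == "Add" and rule.value_type == "Static value":
            if rule.value is None:
                raise ValueError("Static value rule needs a Value")
            out.append((rule.attribute, rule.value))
        elif rule.action == "Add" and rule.value_type == "Group names":
            if rule.username_attribute is None or rule.remote_ldap is None:
                raise ValueError("Group names rule needs Username attribute and Remote LDAP")
            names = [v for a, v in out if a == rule.username_attribute]
            if len(names) != 1:
                raise ValueError("expected exactly one username attribute, found %d" % len(names))
            groups = directories[rule.remote_ldap].get(names[0], [])
            # Assumption: one attribute instance per group. An unknown user or a user with no
            # groups gets no Fortinet-Group-Name at all, so the destination sees a session
            # without a group and group-based RSSO policies will not match it (fails closed).
            out.extend((rule.attribute, g) for g in groups)
        else:
            raise ValueError("unsupported rule: %r" % (rule,))
    return out


# The two-rule example rule set from the page.
EXAMPLE_RULE_SET = [
    Rule("Add", SESSION_TIMEOUT, value_type="Static value", value="3600"),
    Rule("Add", FORTINET_GROUP_NAME, value_type="Group names",
         username_attribute=USER_NAME, remote_ldap="corp-ldap"),
]


def example_incoming(user: str = "alice") -> Attrs:
    """Constructed incoming packet carrying the three fields the page lists."""
    return [(USER_NAME, user), (NAS_IP_ADDRESS, "10.0.0.1"),
            (FORTINET_CLIENT_IP_ADDRESS, "192.0.2.10")]


if __name__ == "__main__":
    for attr, value in apply_rule_set(example_incoming(), EXAMPLE_RULE_SET):
        print(attr, value)
```

Two behaviours are worth checking in your own rule sets: a Group names rule silently adds nothing when the Username attribute is absent from the packet or the user is unknown to the LDAP server, so a carrier that sends a different username attribute than the one you selected produces sessions with no groups; and a Modify rule renames every instance of the attribute, which matters when the attribute repeats.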

Sources

The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed. A maximum of 500 proxy sources can be configured.

To add a RADIUS accounting proxy source:

From the sources list, select Create New.

Enter the following information:

Name

Enter a name for the RADIUS server. This name is used to refer to the source elsewhere in the FortiAuthenticator configuration, for example when selecting it for a destination.

Source name/IP

Enter the FQDN or IP address of the server.

Secret

Enter the RADIUS shared secret configured on the carrier RADIUS server for this FortiAuthenticator. Per RFC 2866 the secret is what authenticates each incoming Accounting-Request (its Request Authenticator is an MD5 of the packet and the secret), so it must match exactly; use a long random value that is unique to this source.

Description

Optionally, enter a description of the source.

Select OK to add the RADIUS accounting proxy source.

Destinations

The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.

To add a RADIUS accounting proxy destination:

From the destinations list, select Create New.

Enter the following information:

Name

Enter a name to identify the destination device in your configuration.

Destination name/IP

Enter the FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.

Secret

Enter the RADIUS shared secret that the destination FortiGate expects for RSSO accounting from this FortiAuthenticator. Use a distinct secret for each destination rather than reusing the source's secret.

Source

Select a RADIUS client defined as a source from the dropdown menu. See Sources.

Rule set

Select an appropriate rule set from the dropdown menu or select Create New to create a new rule set. See Rule sets.

Select OK to add the RADIUS accounting proxy destination.
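What the source and destination secrets protect, as an added example that is not FortiAuthenticator code. Under RFC 2866 an Accounting-Request carries a Request Authenticator equal to MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Secret), so a packet from an unconfigured source or one built with the wrong secret can be rejected on receipt, and each forwarded copy has to be re-authenticated with the destination's own secret. The code also answers the source with an Accounting-Response so it stops retransmitting. The addresses, secrets and sample packet are constructed; the Fortinet vendor ID and attribute number come from the Fortinet RADIUS dictionary.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
FORTINET_VENDOR_ID = 12356   # Fortinet's IANA private enterprise number


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (type 26) wrapper around one vendor attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(26, struct.pack("!I", vendor_id) + inner)


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866 section 3: Request Authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with our copy of the secret and compare."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def proxy_accounting(packet: bytes, src_ip: str, sources: Dict[str, bytes],
                     destinations: List[Tuple[str, bytes]]) -> Tuple[bytes, Dict[str, bytes]]:
    """Validate against the configured source, then re-sign one copy per destination.
    Returns (response to send back to the source, {destination ip: packet to forward})."""
    secret = sources.get(src_ip)
    if secret is None:
        raise PermissionError("accounting packet from unconfigured source %s" % src_ip)
    if not verify_accounting_request(packet, secret):
        raise PermissionError("Request Authenticator does not verify for source %s" % src_ip)
    attrs = packet[20:]   # the destination's rule set would rewrite attrs here
    forwarded = {dst_ip: build_accounting_request(packet[1], attrs, dst_secret)
                 for dst_ip, dst_secret in destinations}
    return build_accounting_response(packet, secret), forwarded


# Constructed configuration: source IP -> secret, and (destination IP, secret) pairs.
SOURCES = {"203.0.113.5": b"carrier-secret-7vQ2"}
DESTINATIONS = [("192.0.2.1", b"fgt-a-secret-K9xL"), ("192.0.2.2", b"fgt-b-secret-P4mZ")]


def sample_request() -> bytes:
    """Constructed Accounting-Request with the three incoming fields from the page."""
    attrs = (encode_attr(1, b"alice")                                        # User-Name
             + encode_attr(4, bytes([10, 0, 0, 1]))                           # NAS-IP-Address
             + encode_vsa(FORTINET_VENDOR_ID, 2, bytes([192, 0, 2, 10])))     # Fortinet-Client-IP-Address
    return build_accounting_request(7, attrs, SOURCES["203.0.113.5"])


if __name__ == "__main__":
    response, out = proxy_accounting(sample_request(), "203.0.113.5", SOURCES, DESTINATIONS)
    print("response code", response[0], "forwarded to", sorted(out))
```

The practical point: a forged Accounting-Start that the FortiGate accepts logs an attacker-chosen user and IP into RSSO, and the shared secret plus the source list (effectively an IP allow-list) are the only things standing in the way, since RFC 2866 offers no encryption and only MD5-based integrity. Keep the secrets long, random and distinct per source and per destination, and carry the traffic over a trusted path or IPsec where the carrier link is not under your control.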
